
The heavy metal that poisoned the droid, by Tyrone Erasmus - PowerPoint PPT Presentation



  1. The heavy metal that poisoned the droid Tyrone Erasmus

  2.
  • Introduction
  • Android Security Model
  • Static vs. Dynamic analysis
  • Mercury: New framework on the block
  • Finding OEM problems
  • Techniques for malware
  • How do we fix this?
  • Conclusion

  3. /usr/bin/whoami
  • Consultant @ MWR InfoSecurity
  • My 25% time == Android research
  • Interested in many areas of exploitation

  4. Introduction
  • Why Android?

  5. Security Model
  • User-based permissions model
  • Each app runs as a separate UID
  • Differs from conventional computing
  • Except when shared UIDs are used
  • App resource isolation

  6. Security Model

  7. Security Model
  [Diagram: Application 1 and Application 2, each with its own shared_prefs, files, cache and databases directories, kept apart by UNIX permissions!]

  8. Security Model
  • App manifest = all configuration + security parameters

  9. Security Model
  Memory corruption vulnerabilities:
  • Native elements that can be overflowed
  • Code execution:
    • In context of exploited app
    • With permissions of app
  • Want more privileges? YOU vs. KERNEL

  10. IPC
  Apps use Inter-Process Communication
  • Defined communication across the sandbox
  • Exported IPC endpoints are defined in AndroidManifest.xml

  11. IPC - Activities
  • Visual element of an application

  12. IPC - Services
  • Background workers
  • Provide no user interface
  • Can perform long-running tasks

  13. IPC - Broadcast Receivers
  • Get notified of system and application events
  • According to what has been registered
  • Example: android.permission.RECEIVE_SMS

  14. IPC - Content Providers
  • Data storehouse
  • Often uses SQLite
  • Methods that are based on SQL queries

  15. IPC Summary
  • All can be exported
    • Explicitly by exported=true
    • Implicitly by <intent-filter>
  • Content Provider exported by default
  • Often overlooked by developers

  16. IPC Summary
  [Diagram: a simple application exposes only an Activity; a rich application exposes an Activity, a Service, a Broadcast receiver and a Content provider]

  17. What they all say
  • Permissions and developer name
  Hmmm...

  18. Scary Contradictions
  • Apps containing root exploits
  • Browser vulnerabilities
  • Cross-application exploitation

  19. Cross-application exploitation
  • What can 1 app do to another?
  • Completely unprivileged
  • Malware implications
  • Android-specific attack surface

  20. Static analysis
  [Diagram: workflow of Download apps, Extract manifests, Decompile, Understand entry points, Examine attack vectors, Write custom POCs]

  21. Static analysis
  • Iterative
  • Time consuming
  [Diagram: cycle of Create/Amend code, Compile, Upload, Test, Analyse]

  22. Why dynamic analysis? (vs. static)
  • Time-efficient
  • Better coverage
  • Re-usable modules

  23. New tool - Mercury
  • "The heavy metal that poisoned the droid"
  • Developed by me

  24. Mercury...What is it?
  • Platform for effective vulnerability hunting
  • Collection of tools from a single console
  • Modular == easy expansion
  • Automation
  • Simplified interfacing with external tools

  25. Mercury...Why does it exist!?
  • Testing framework vs. custom scripts
  • INTERNET permission - malware can do it too!
  • Share POCs - community additions

  26. Mercury...How does it work?
  Client/Server model
  • Low privileges on server app
  • Intuitive client on PC
  [Diagram: Client (on PC) talks to Server (on device)]

  27. Mercury...Show me your skills
  • Find package info
  • Attack surface
  • IPC info
  • Interacting with IPC endpoints
  • Shell

  28. Interesting fact #1
  ANY app can see verbose system info
  • Installed apps
  • Platform/device specifics
  • Phone identity

  29. Impact
  Profile your device
  • Get exploits for vulnerable apps
  • Better targeting for root exploits
  • Use this info to track you
  • Only required permission: INTERNET

  30. Interesting fact #2
  • Any app with no permissions can read your SD card
  • It is the law of the UNIXverse

  31. Impact
  • A malicious app can upload the contents of your SD card to the internet
  • Photos
  • Videos
  • Documents
  • Anything else interesting?
  • Only required permission: INTERNET

  32. Debuggable apps
  • More than 5% of Market apps
  • Allow malicious apps to escalate privileges
  • debuggable=true: opens the @jdwp-control socket
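Slides 15 and 32 give the rules a developer needs for the manifest check slide 54 asks for: which components end up exported (explicitly, via an intent-filter, or because a provider is exported by default), whether an exported component is protected by a permission, and whether the app ships debuggable. The script below is an added example, not code from the talk or from the Mercury project; the sample manifest, package and component names are constructed, and the export rules it applies are the ones stated on the slides.

```python
# Added example (not from the talk or Mercury): apply the export rules from the
# slides to an AndroidManifest.xml. Assumed rules: exported="true" exports a
# component; an <intent-filter> with no exported attribute exports it; a
# <provider> is exported unless exported="false"; debuggable="true" is flagged.
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
COMPONENTS = ("activity", "service", "receiver", "provider")
GUARDS = ("permission", "readPermission", "writePermission")

# Constructed sample manifest; the package and component names are made up.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.leaky">
  <application android:debuggable="true">
    <activity android:name=".Main">
      <intent-filter><action android:name="android.intent.action.MAIN"/></intent-filter>
    </activity>
    <service android:name=".Sync" android:exported="false"/>
    <receiver android:name=".SmsWatcher" android:exported="true"
        android:permission="android.permission.BROADCAST_SMS"/>
    <provider android:name=".Messages" android:authorities="com.example.leaky.messages"/>
  </application>
</manifest>"""

def is_exported(comp):
    """Decide whether a component is reachable from other apps."""
    flag = comp.get(ANDROID + "exported")
    if flag is not None:
        return flag.lower() == "true"
    if comp.tag == "provider":           # exported by default (slide 15)
        return True
    return comp.find("intent-filter") is not None

def audit_manifest(xml_text):
    """Return (debuggable, [(tag, name, guarded)]) for every exported component."""
    app = ET.fromstring(xml_text).find("application")
    debuggable = (app.get(ANDROID + "debuggable") or "false").lower() == "true"
    findings = []
    for comp in app:
        if comp.tag in COMPONENTS and is_exported(comp):
            guarded = any(comp.get(ANDROID + g) for g in GUARDS)
            findings.append((comp.tag, comp.get(ANDROID + "name"), guarded))
    return debuggable, findings

if __name__ == "__main__":
    dbg, found = audit_manifest(SAMPLE_MANIFEST)
    print("debuggable=true (attachable over JDWP):", dbg)
    for tag, name, guarded in found:
        print("%-8s %-12s %s" % (tag, name, "permission-protected" if guarded else "OPEN"))
```

An "OPEN" provider in this report is exactly the leaky-content-provider case the OEM findings describe: any app with zero permissions can query it.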

  33. Mercury...So I can extend it?
  • Remove custom apps == quick tests
  • Create new tools
  • Share exploit POCs on GitHub
  • Some cool modules included already:
    • Device information
    • Netcat shell
    • Information pilfering from OEM apps

  34. Mercury...Dropbox example
  • Custom exploit app
  • No structure for debugging

  35. OEM apps
  • Pre-installed apps often == vulnerabilities
  • Many security researchers target these apps

  36. OEM apps
  Let's find some leaky content providers!
  • Promise of:
    • Information pilfering glory
    • Rampant SQLi
    • No custom app development

  37. Research findings
  Leaks instant messages from:
  • Google Talk
  • Windows Live Messenger
  • Yahoo! Messenger

  38. Research findings
  Leaks:
  • Facebook
  • MySpace
  • Twitter
  • LinkedIn

  39. OEM apps
  HTCloggers.apk allows any app with INTERNET to use:
  • ACCESS_COARSE_LOCATION
  • ACCESS_FINE_LOCATION
  • ACCESS_LOCATION_EXTRA_COMMANDS
  • ACCESS_WIFI_STATE
  • BATTERY_STATS
  • DUMP
  • GET_ACCOUNTS
  • GET_PACKAGE_SIZE
  • GET_TASKS
  • READ_LOGS
  • READ_SYNC_SETTINGS
  • READ_SYNC_STATS

  40. Research findings
  Leaks:
  • Email address and password
  • Email content
  • IM & IM contacts

  41. Research findings
  Leaks:
  • SMS using SQLi
  • Credits to Mike Auty - MWR Labs
  • Feels so 2000s

  42. OEM apps
  Steps to win:
  • Webkit vulnerability
  • Browser has INSTALL_PACKAGES
  • Exported recording service
  • Bugging device

  43. Research findings
  Leaks:
  • SMS
  • Emails
  • IMs
  • Social Networking messages

  44. Research findings
  Leaks:
  • Portable Wi-Fi hotspot
  • SSID
  • WPA2 password

  45. Research findings
  • Have found more than 10 vulnerabilities of a similar type
  • Across many OEM apps

  46. Research findings - Impact
  An app with 0 granted permissions can get:
  • Email address and password
  • Email contents
  • SMS
  • IM & IM contacts
  • Social networking messages
  • Call logs
  • Notes
  • Current city
  • Portable Wi-Fi hotspot credentials

  47. Why is this happening?
  Manufacturers bypass OS features
  • Lack of knowledge?
  • Tight deadlines?

  48. Malware deluxe
  Building a user profile
  • Installed package info
  • Upload entire SD card
  • Pilfer from leaky content providers
  • Get device/platform info

  49. Malware deluxe
  Useful binaries for device/platform info
  • toolbox
  • dumpsys
  • busybox
  Promise of:
  • Useful info

  50. Malware deluxe
  Dirty tricks
  • Pipe a shell using nc
  • Crash the logreaders
  Promise of:
  • Shells - everybody loves 'em
  • Someone actually doing this

  51. Malware deluxe
  Fresh exploits
  • Installed apps + versions
  • Download latest available exploits
  • Exploit vulnerable apps for fun/profit
  • Same goes for root exploits

  52. Android the blabbermouth
  Permissions required: android.permission.INTERNET

  53. Which would you install?

  54. How do developers fix this?
  • Can't help Android vulnerabilities
  • Can make secure apps
  • Stop information being stolen from your app
  • Check exposure with Mercury

  55. Mercury - Future plans
  • Testing ground for exploits of all kinds
  • Full exploitation suite?

  56. return 0;
  • Feedback forms
  • Questions?
